University Auditor
Audit Committee Charter

Statement of Purpose, Types of Audits, and Standards

Purpose
Education Code Section 89045, enacted by Chapter 1406 of the Statutes of 1969, provided for the establishment of an internal auditing function reporting directly to the Trustees of the California State University (CSU). Subsection (b) of the Code states that the duties of this function/internal audit staff shall include, but not be limited to, auditing, reviewing, cost and system analysis, analyzing and recommending operating procedures for the CSU. Subsection (c) of the Code states that management audits shall be made to determine the effectiveness and efficiency of the organization, operation, and procedures of each state university, each auxiliary organization, and the Office of the Chancellor. Subsection (d) of the Code states that audit staff shall perform audits, at least once every five years, of certain procurement and contracting activities, motor vehicle inspections, and real and personal property transactions pursuant to specified Sections of the Code.

In 1991, the Department of Finance (DOF) determined that it no longer had the staff resources required to perform internal control reviews of the CSU, as required by the Financial Integrity and State Manager's Accountability Act (FISMA) of 1983. The Office of Audit and Advisory Services (OAAS) began performing these reviews on all campuses once every two years. Beginning in calendar year 2010, cyclical audits of internal controls were reevaluated and discontinued due to a change in the OAAS audit risk assessment methodology and updated guidance from the DOF. Using the new procedure, the OAAS works with CSU campuses and Office of the Chancellor executive management to identify high-risk areas within the CSU system, and creates an annual audit plan using a risk assessment methodology.

In 1999, the Trustees' Committee on Audit took action at the January meeting of the Board, which required the OAAS to perform an internal compliance/internal control review of each auxiliary organization. The OAAS performs these reviews at all auxiliary organizations once every three years.

At its January 2008 meeting, the Trustees' Committee on Audit directed the OAAS to continue its annual review of construction activity. Construction auditing had been performed by an external public accounting firm since fiscal year 1997/98 with coordination from the OAAS. In fiscal year 2008/09, the OAAS began performing construction audits.

In 2013, the Trustees' Committee on Audit took action at the January meeting of the Board to approve the addition of advisory services to the annual audit plan.

Types of Audits
With the guidance of the original legislation, as interpreted by Senator Harmer, and The International Standards for the Professional Practice of Internal Auditing (Institute of Internal Auditors), the OAAS uses a variety of audit techniques in its review of campus programs/resources. These audit techniques are commonly referred to as:

  • Operational Audits - Examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the University's mission and objectives. An operational audit may include elements of the other audit types listed below.


  • Financial Audits - Focus on accounting and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that there are sufficient controls over cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the fairness of the presentation of financial statements.


  • Compliance Audits - Review adherence to laws, regulations, policies, and procedures. Examples include federal and state law, Trustee policies, and chancellor's office directives. Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations.


  • Information Systems (IS) Audits - Examine the internal control environment of automated information processing systems and how people use those systems. IS audits typically evaluate system input, output, and processing controls; backup and recovery plan; system security; and computer facility reviews. IS auditing projects can focus on existing systems, as well as systems in the development stage.


  • Internal Control Reviews - Focus on the components of the university and auxiliary organization major business activities. Areas such as payroll and benefits, cash handling, inventory and equipment and their physical security, grants and contracts, and financial reporting are usually subject to review.


  • Investigations - Seek to establish evidence of impropriety; imply a systematic track-down of information the auditor hopes to discover or needs to know. Investigations include alleged instances of fraud, waste and abuse, and improper governmental activities.


  • Advisory Services - More consultative in nature than traditional audits and performed in response to requests from campus management. Advisory services enhance awareness of risk, control and compliance issues and provide a proactive independent review and appraisal of specifically identified concerns. Advisory services may include internal control and risk management reviews, transition reviews, business process assessments, and other activities.

Standards
California Government Code Section 1236 (July 1983) requires all state agencies that have their own internal auditors to:

... utilize the general and specified standards of internal auditing prescribed by the Institute of Internal Auditors (IIA).

In January 2009, the IIA issued the International Professional Practices Framework (IPPF) with two categories of guidance: Mandatory and Strongly Recommended. The three mandatory elements are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The three strongly recommended elements are Position Papers, Practice Advisories, and Practice Guides.

The definition of internal auditing states the fundamental purpose, nature, and scope as follows:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards consist of statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance; and interpretations, which clarify terms or concepts within the statements.

Section 2100 of the Standards outlines the nature of work of the OAAS and states that the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. This includes:

2110 Governance - The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Communicating risk and control information to appropriate areas of the organization.
  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities; and assess whether the information technology governance of the organization supports the organization's strategies and objectives.

2120 Risk Management - The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
  • Achievement of the organization's strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2130 Control - The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
  • Achievement of the organization's strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.


Content Contact:
Anne Marie Douglas
(562) 951-4430
Technical Contact:
webmaster@calstate.edu

Last Updated: May 05, 2014